This document describes Slurm authentication plugins and the API that defines them. It is intended as a resource to programmers wishing to write their own Slurm authentication plugins.
Slurm authentication plugins are Slurm plugins that implement the Slurm authentication API described herein. They must conform to the Slurm Plugin API with the following specifications:
const char plugin_type
The major type must be "auth." The minor type can be any recognizable abbreviation for the type of authentication. We recommend, for example:
- none — A plugin that implements the API without providing any actual authentication service. This may be used for testing purposes, but is not suitable for production use due to lack of effective security.
- munge — LLNL's Munge protocol (recommended plugin for production use).
const char plugin_name
Some descriptive name for the plugin. There is no requirement with respect to its format.
const uint32_t plugin_version
If specified, identifies the version of Slurm used to build this plugin and any attempt to load the plugin from a different version of Slurm will result in an error. If not specified, then the plugin may be loaded by Slurm commands and daemons from any version, however this may result in difficult to diagnose failures due to changes in the arguments to plugin functions or changes in other Slurm functions used by the plugin.
The programmer is urged to study src/plugins/auth/none/auth_none.c for an example implementation of a Slurm authentication plugin.
The implementation must support an opaque class, which it defines, to be used as an authentication "credential." This class must encapsulate all user-specific information necessary for the operation of the API specification below. The credential is referred to in Slurm code by an anonymous pointer (void *).
The following functions must appear. Functions which are not implemented should be stubbed.
int init (void)
Called when the plugin is loaded, before any other functions are called. Put global initialization here.
SLURM_SUCCESS on success, or
SLURM_ERROR on failure.
void fini (void)
Called when the plugin is removed. Clear any allocated storage here.
Note: These init and fini functions are not the same as those described in the dlopen (3) system library. The C run-time system co-opts those symbols for its own initialization. The system _init() is called before the Slurm init(), and the Slurm fini() is called before the system's _fini().
void *slurm_auth_create(char *auth_info);
Description: Allocates from the free store an anonymous credential object and returns a pointer to it. The pointer should be valid until passed to slurm_auth_destroy() for disposal. Slurm will not pass credentials to the API which have not been allocated by this function.
argv (input) plugin specific information. auth_info (input) plugin specific identification of the server.
Returns: A pointer to a newly allocated credential if successful. On failure, the plugin should return NULL and set its errno to an appropriate value to indicate the reason for failure.
int slurm_auth_destroy (void *cr);
Description: Deallocates a credential that was allocated with slurm_auth_alloc() and any associated storage that has been allocated for it during its use.
Arguments: cr (input) pointer to the credential that is to be deallocated. Cannot be NULL.
Returns: SLURM_SUCCESS if successful. On failure, the plugin should return SLURM_ERROR and set the errno to an appropriate value to indicate the reason for failure.
int slurm_auth_verify (void *cr, char *auth_info );
Description: Verifies that a credential is in order and correctly identifies the associated user. It also verifies that the credential has not expired. If verification is successful, the return values of slurm_auth_get_uid() and slurm_auth_get_gid() in subsequent calls must correspond to the actual verified system UID and GID of the user associated with the credential. Verification must fail if the credential has not previously been activated, even if a credential implementation cannot exist in an unactivated state. A credential's valid term is defined at activation and verification must fail if the credential has expired, even if it would otherwise be valid.
cr (input) pointer to the credential which is to be verified. Cannot be NULL.
auth_info (input) plugin specific identification of the server.
Returns: SLURM_SUCCESS if the credential is verified to be in order and has not expired. If the credential cannot be verified, or if the credential has expired, the function should return SLURM_ERROR and set its errno to an appropriate value to indicate the reason for failure.
uid_t slurm_auth_get_uid(void *cred);
gid_t slurm_auth_get_gid (void *cred);
Description: Extracts the numerical UID or GID of the user corresponding to the given credential. Only valid after slurm_auth_verify() has been called on a given credential. An unverified credential does not immediately give rise to an error condition in these functions, but instead will return SLURM_AUTH_NOBODY for the UID and GID. A plugin may consider the lack of verification as an error.
cred (input) pointer to the credential containing the desired identification. Cannot be NULL.
Returns: If successful, the Linux UID (GID) associated with the credential. In case of error, SLURM_AUTH_NOBODY should be returned and errno set appropriately to indicate the cause of the failure.
int slurm_auth_pack (void *cr, Buf buf);
Description: Marshals a credential into a buffer for transmission according to the Slurm packing protocol. All authentication plugins must first pack the plugin_type and then the plugin_version data before any plugin-specific data elements are packed. slurm_auth_pack() and slurm_auth_pack() are strictly reciprocal. The esult of a packing followed by an unpacking must be a functionally equivalent credential. A credential is deemed appropriate for marshalling at any time after its allocation and before its destruction.
cr (input) pointer to the credential to pack.
buf (input/output) the buffer into which the credential should be packed.
Returns: SLURM_SUCCESS if successful. On failure the plugin should return SLURM_ERROR and set the errno to indicate the reason for the failure.
int slurm_auth_unpack (void *cr, Buf buf);
Description: Unmarshals a credential from a buffer according to the Slurm packing protocol into a supplied (and presumed empty) credential object. The unmarshalled credential is not assumed to be activated or verified. The plugin_type and plugin_version data should first be unpacked from the buffer and verified for applicability. The API does not enforce that they must be equivalent, merely compatible. Compatibility is implementation-dependent.
cr (output) pointer to the credential to pack.
buf (input/output) the buffer from which the credential should be unpacked.
Returns: SLURM_SUCCESS if the credential was successfully unpacked. In case of failure, the function should return SLURM_ERROR and set errno appropriately to indicate the cause of the failure. If the function fails, no assumptions are made about the state of the credential except its suitability for destruction via slurm_auth_destroy().
Last modified 7 March 2019